Take Control of the Cloud
February 2010
One of the key issues in today’s highly interconnected computing model, especially regarding Cloud Computing, is Control. In the old days, if I needed access control, I pulled together the Ops teams that managed applications to execute a plan for installing plug-ins that can both authenticate and authorize web accesses. I had control (or at least some influence!) over the applications and stacks that ran my enterprise business. But we now enter a new generation where I do not have that control. Just imagine calling Google, Salesforce.com, and Taleo to ask that they install my favorite brand of IAM plug-in on their servers! One of the first things I’d like to point out is that many IAM vendors support deployment models that simply do not suit today’s needs. Network-based IAM is the way to go. SaaS applications require an entirely different approach.
When we talk about virtualized datacenters, our natural inclination is to say they are mostly no different than brick-and-mortar data centers. And what’s the difference if my enterprise owns and runs one as opposed to a hosting partner? The challenge I see is that the virtualization trend has gone beyond enterprises managing their own virtual machines on their own hosting infrastructure. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) have driven virtualization, standardization, and commoditization further down the stack, which has two effects. Firstly, I might not be able to install platform-specific software components like WAM plug-ins: the new trend is for these environments to provide services that are abstracted away from the underlying machines, operating systems, and applications. Secondly, even if I can install the old-style IAM tools, doing so misses a huge opportunity for cost savings. Putting standard infrastructure for IAM into the “drinking water” is the wave of the future, and it’s going to be difficult for legacy IAM vendors to adopt.
But despite the virtues of Cloud Computing, and the fact that the Cloud visionaries are leading the wave with standards, those standards are often ad hoc (e.g., proprietary authentication and provisioning APIs). It will take time for the industry standards to shake out, and there remains much skepticism in the industry. So hitching your enterprise IAM strategy to a vendor that only offers one type of solution (e.g., SAML) appears risky at best. The dominant integration standards (e.g., SAML, WS-Fed, SPML) have yet to reach critical mass among SaaS vendors, and IAM vendors are having difficulty integrating with SaaS vendors that don’t support standards. In effect, the permutations of Cloud Computing present challenges to many IAM vendors.
In closing, it’s important to understand that IAM (Identity and Access Management) spans many facets and has different meaning to different folks. While the basic building blocks may not have changed much, delivering manageable solutions with SSO, access control, provisioning, and user administration is challenging when we include the Cloud. So while creation of a user in a local Windows Domain is not fundamentally much different than doing so in a SaaS app, provisioning a user in a way that allows multiple Cloud and on-premise apps to automatically accept authentication of the user and provide SSO is indeed a challenge.
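To make the closing point concrete, here is an added example (not code from the original post or from Symplified) of the federated pattern the author is describing: one identity provider issues a signed assertion, and several relying applications (a SaaS app and an on-premise app) each accept it without running their own password check, provisioning the local account on first login. An HMAC with a shared key stands in for the XML signature and certificate trust of SAML or WS-Fed, and the key, application names, and user attributes are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared between the identity provider and the relying apps.
# A real federation (SAML, WS-Fed) uses the IdP's private key and published certificate instead.
IDP_KEY = b"constructed-demo-idp-key"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized claims; stand-in for an XML signature."""
    mac = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_assertion(subject, audiences, attributes, now=None, ttl=300):
    """IdP side: one assertion the user carries to every app that trusts this IdP."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,
        "aud": sorted(audiences),   # every app allowed to accept this assertion
        "iat": now,
        "exp": now + ttl,           # short lifetime limits replay of a captured assertion
        "attrs": attributes,        # attributes the apps use to provision and authorize
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_assertion(token, expected_audience, now=None):
    """Relying-app side: accept the user only if signature, audience and lifetime all check out."""
    now = int(time.time()) if now is None else now
    try:
        encoded_payload, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded_payload)
    except (ValueError, TypeError):
        return False, "malformed", None
    # Constant-time comparison so a tampered assertion is rejected before its claims are read.
    if not hmac.compare_digest(_sign(payload), signature):
        return False, "bad signature", None
    claims = json.loads(payload)
    # An assertion minted for one app must not be replayed against another.
    if expected_audience not in claims["aud"]:
        return False, "audience mismatch", None
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "expired or not yet valid", None
    return True, "ok", claims


def jit_provision(directory, claims):
    """Create the app's local account on first federated login instead of pre-creating it by hand."""
    user = directory.get(claims["sub"])
    if user is None:
        user = {"sub": claims["sub"], **claims["attrs"]}
        directory[claims["sub"]] = user
    return user


if __name__ == "__main__":
    # Constructed walk-through: one login, two apps, no per-app passwords.
    token = issue_assertion("alice@example.com", ["saas-crm", "onprem-hr"],
                            {"email": "alice@example.com", "role": "analyst"})
    for app in ("saas-crm", "onprem-hr", "untrusted-app"):
        ok, reason, claims = verify_assertion(token, app)
        print(app, "->", reason)
        if ok:
            print("  provisioned:", jit_provision({}, claims))
```

The two relying apps never see a credential, only the IdP's assertion, which is what lets a single provisioning event at the IdP turn into access across Cloud and on-premise apps; the audience and expiry checks are the minimum a relying app should enforce before trusting that assertion.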
Coby Royer
Technical Product Manager
Symplified